authorwaqas.ikram <waqas.ikram@est.tech>2021-06-30 14:04:23 +0100
committerwaqas.ikram <waqas.ikram@est.tech>2021-06-30 14:04:24 +0100
commitfa22cfa93f7a2533fc2aa8a20e46bfd6a401579f (patch)
tree58c598c777a803567a054d902d670c5527f758a0 /bpmn/MSOCoreBPMN
parent1a031c0f696370d41f3373a39c54aeba7d35d994 (diff)
Fixing XML parsers security bug
Change-Id: I1fbf2b2bd42669d9a3c059c32bb39278bd483d60 Issue-ID: SO-3668 Signed-off-by: waqas.ikram <waqas.ikram@est.tech>
Diffstat (limited to 'bpmn/MSOCoreBPMN')
-rw-r--r--bpmn/MSOCoreBPMN/src/main/java/org/onap/so/bpmn/core/xml/XmlTool.java21
1 files changed, 12 insertions, 9 deletions
diff --git a/bpmn/MSOCoreBPMN/src/main/java/org/onap/so/bpmn/core/xml/XmlTool.java b/bpmn/MSOCoreBPMN/src/main/java/org/onap/so/bpmn/core/xml/XmlTool.java
index 58238c8ff6..79a4c54e23 100644
--- a/bpmn/MSOCoreBPMN/src/main/java/org/onap/so/bpmn/core/xml/XmlTool.java
+++ b/bpmn/MSOCoreBPMN/src/main/java/org/onap/so/bpmn/core/xml/XmlTool.java
@@ -224,7 +224,7 @@ public final class XmlTool {
* @return the contents of the modified XML document as a String or null/empty if the modification failed.
* @throws IOException, TransformerException, ParserConfigurationException, SAXException
*/
- public static Optional<String> modifyElement(String xml, String elementTag, String newValue)
+ public static Optional<String> modifyElement(final String xml, final String elementTag, final String newValue)
throws IOException, TransformerException, ParserConfigurationException, SAXException {
if (xml == null || xml.isEmpty()) {
@@ -232,15 +232,15 @@ public final class XmlTool {
return Optional.empty();
}
- DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+ final DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
dbFactory.setNamespaceAware(true);
dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- DocumentBuilder db = dbFactory.newDocumentBuilder();
- InputSource source = new InputSource(new StringReader(xml));
- Document doc = db.parse(source);
+ final DocumentBuilder db = dbFactory.newDocumentBuilder();
+ final InputSource source = new InputSource(new StringReader(xml));
+ final Document doc = db.parse(source);
- Node modNode = doc.getElementsByTagName(elementTag).item(0);
+ final Node modNode = doc.getElementsByTagName(elementTag).item(0);
if (modNode == null) {
// did not find the specified element to be modified, return empty
// System.out.println("Did not find element tag " + elementTag + " in XML");
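Review bot: The DocumentBuilderFactory configured at the top of this hunk disables external general and parameter entities but still accepts a DOCTYPE declaration, so an inline DTD with internal entity expansion, and on Xerces-based parsers the external DTD subset named by the DOCTYPE system identifier (the `load-external-dtd` feature defaults to true), remain reachable from caller-supplied `xml`; given the commit is titled as an XML-parser security fix, this seems worth closing in the same change. If callers never need a DOCTYPE, `dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` after the existing two setFeature calls rejects it outright; otherwise `dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` together with `dbFactory.setXIncludeAware(false);` and `dbFactory.setExpandEntityReferences(false);` is the narrower hardening, and `XMLConstants` is already referenced by the new transformer code two hunks below. An unsupported feature surfaces as ParserConfigurationException, which modifyElement already declares, so no signature change is needed. modifyElement's body begins in the previous hunk and continues past this one.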
@@ -249,9 +249,12 @@ public final class XmlTool {
modNode.setTextContent(newValue);
}
- TransformerFactory transformerFactory = TransformerFactory.newInstance();
- Transformer transformer = transformerFactory.newTransformer();
- StringWriter writer = new StringWriter();
+ final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtils.EMPTY);
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, StringUtils.EMPTY);
+
+ final Transformer transformer = transformerFactory.newTransformer();
+ final StringWriter writer = new StringWriter();
transformer.transform(new DOMSource(doc), new StreamResult(writer));
// return the modified String representation of the XML
return Optional.of(writer.toString().trim());
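Review bot: `TransformerFactory.setAttribute` throws an unchecked IllegalArgumentException when the resolved factory does not recognise the JAXP 1.5 `ACCESS_EXTERNAL_DTD`/`ACCESS_EXTERNAL_STYLESHEET` attributes, and `TransformerFactory.newInstance()` returns whichever implementation wins the service lookup, so on a deployment that carries an older third-party Xalan or Saxon the two new setAttribute lines may now fail outside the four checked exceptions modifyElement declares; either pin the JDK implementation or catch that case and fail with a logged, explicit error. The empty-string values are the right setting for a DOM-to-string serialization that needs no external resources; consider adding `transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` beside them, whose TransformerConfigurationException is already covered by the declared TransformerException. A why-comment such as `// serialization only: forbid external DTD/stylesheet resolution during transform (SO-3668)` would explain the empty strings to the next reader. modifyElement's signature sits in the first hunk of this file.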